VLAN for Management Traffic
Hello Everyone,
I'm still learning Cisco and networks in general, but I need to separate management traffic from the regular network. The switch is a Cisco Catalyst 5406-E. My question is: do I need to create a new subnet for the VLAN, and how would I do that? The commands I have to create a VLAN and add the switch ports are:
Switch(config)# vlan 15
switch(config-vlan)# name Management
switch(config)# interface GigabitEthernet2/6
switch(config-if)# switchport access vlan 15
Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15. How do I add it to a new subnet? Am I going in the right direction?
In general, if you want to use a separate VLAN for management, you can create the VLAN plus an SVI (the routed interface of the VLAN) with an IP address, plus an access list on the SVI and on the VTY (“SSH/telnet lines”) for better security.
Example:
==== C4500 – L3 SWITCH CONFIG ====
! create VLAN 15
vlan 15
 name MGMT
! create an access list with the IP addresses from which management of all switches with SVI 15 will be accessible
! Note: this access list (ACL) does not control access to management of the L3 switch/router where the ACL is applied on the SVI, only to all other switches in VLAN 15 that have their default gateway set to IP address 10.0.15.1 (see next step)
ip access-list extended MGMT_SWITCH
 remark ====ICMP====
 permit icmp any 10.0.15.0 0.0.0.255
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
! create the SVI/interface of VLAN 15, add an IP address and assign the access list
! Note: DO NOT assign an empty access list to an interface, it can make your router inaccessible!
interface Vlan15
 description MGMT
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
! create an ACL for the VTY lines of the L3 switch/router; this ACL controls access only to management of the L3 switch, access to all other switches with SVI 15 is controlled by the previous ACL
ip access-list standard VTY
 remark ====ADMIN====
 permit 10.0.1.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit 10.0.100.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit 10.0.200.0 0.0.0.255
! assign the ACL to the vty lines
line vty 0 4
 access-class VTY in
==== OTHER L2-ONLY SWITCHES CONFIG ====
! create VLAN 15
vlan 15
 name MGMT
! create SVI 15
interface Vlan15
 description MGMT
 ip address 10.0.15.50 255.255.255.0
! set default gateway/default route to the SVI of the c4500
ip default-gateway 10.0.15.1
! some higher-level switches require use of the following CLI parameters instead:
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.15.1
This is just one of many ways to do the management separation.
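The two ACLs in the answer above can be checked offline before they go onto a switch. The following is an added example, not part of the original post: it evaluates a source address against MGMT_SWITCH and VTY using wildcard-mask matching and the implicit deny that ends an ACL, and lists any ACL that is applied but has no entries, the case the note in the config warns about. The function names and the test address 10.0.50.7 are assumptions made for the example.

```python
import ipaddress
import re

# Constructed input: the ACL-related lines of the L3 switch config in the answer
# above, indented as in "show running-config" (the parser relies on that).
CONFIG = """\
ip access-list extended MGMT_SWITCH
 remark ====ICMP====
 permit icmp any 10.0.15.0 0.0.0.255
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
 permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
 permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
interface Vlan15
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
ip access-list standard VTY
 permit 10.0.1.0 0.0.0.255
 permit 10.0.100.0 0.0.0.255
 permit 10.0.200.0 0.0.0.255
line vty 0 4
 access-class VTY in
"""

ANY = (0, 0xFFFFFFFF)  # (address, wildcard): every bit is "don't care"

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def take_spec(tokens):
    """Consume 'any', 'host A' or 'A [WILDCARD]'; return (address, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (to_int(tokens.pop(0)), 0)
    # A standard-ACL entry with no wildcard matches a single host.
    return (to_int(first), to_int(tokens.pop(0)) if tokens else 0)

def matches(ip, spec):
    address, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are ignored, 0-bits must match
    return (to_int(ip) & care) == (address & care)

def parse(config):
    """Return (acls, bindings); bindings are (where applied, ACL name, direction)."""
    acls, bindings, current, context = {}, [], None, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command ends any sub-mode
            context = raw.strip()
            m = re.match(r"ip access-list (standard|extended) (\S+)$", context)
            current = m.groups() if m else None
            if m:
                acls.setdefault(m.group(2), [])
        elif current and tokens[0] in ("permit", "deny"):
            kind, name = current
            action = tokens.pop(0)
            proto = tokens.pop(0) if kind == "extended" else "ip"
            src = take_spec(tokens)
            dst = take_spec(tokens) if kind == "extended" else ANY
            acls[name].append((action, proto, src, dst))  # port qualifiers are ignored
        elif tokens[:2] == ["ip", "access-group"]:
            bindings.append((context, tokens[2], tokens[3]))
        elif tokens[0] == "access-class":
            bindings.append((context, tokens[1], tokens[2]))
    return acls, bindings

def permits(acl, src, dst="0.0.0.0", proto="ip"):
    """First matching entry wins; no match is the implicit deny that ends an ACL."""
    for action, entry_proto, s, d in acl:
        if entry_proto in ("ip", proto) and matches(src, s) and matches(dst, d):
            return action == "permit"
    return False

def applied_without_entries(acls, bindings):
    """ACLs applied to an interface or line that are undefined or have no entries."""
    return [(where, name) for where, name, _ in bindings if not acls.get(name)]

if __name__ == "__main__":
    acls, bindings = parse(CONFIG)
    for src in ("10.0.1.25", "10.0.50.7"):  # admin subnet vs. a constructed user address
        print(src, permits(acls["VTY"], src),
              permits(acls["MGMT_SWITCH"], src, "10.0.15.50", "tcp"),
              permits(acls["MGMT_SWITCH"], src, "10.0.15.50", "icmp"))
    print(applied_without_entries(acls, bindings))
```

The run shows that a host outside the three permitted subnets is refused on the VTY lines and for TCP to 10.0.15.50, while ICMP to the management subnet is permitted from any source by the first MGMT_SWITCH entry.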
Similar Messages
-
Separate VLAN for manag. only on wire?
I'm having hard time trying to understand how to configure Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for only management and management is not seen on wireless side at all, and Y for public traffic.
I went thru' all the old postings about this subject but found no complete example of running config to do it. If anyone has successfully completed doing this, please, can you post a example of IOS command listing how to do it.
Regards,
Pauli Borodulin
Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
 encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 mode wep mandatory
 encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
 encryption vlan 187 mode wep mandatory
 ssid weponly
    vlan 186
    authentication open
 ssid wepeap
    vlan 187
    authentication open eap eap_methods
    authentication network-eap eap_methods
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Dot11Radio0.186
 encapsulation dot1Q 186
 no ip route-cache
 no cdp enable
 bridge-group 186
 bridge-group 186 subscriber-loop-control
 bridge-group 186 block-unknown-source
 no bridge-group 186 source-learning
 no bridge-group 186 unicast-flooding
 bridge-group 186 spanning-disabled
interface Dot11Radio0.187
 encapsulation dot1Q 187
 no ip route-cache
 no cdp enable
 bridge-group 187
 bridge-group 187 subscriber-loop-control
 bridge-group 187 block-unknown-source
 no bridge-group 187 source-learning
 no bridge-group 187 unicast-flooding
 bridge-group 187 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
interface FastEthernet0.101
 encapsulation dot1Q 101 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet0.186
 encapsulation dot1Q 186
 no ip route-cache
 bridge-group 186
 no bridge-group 186 source-learning
 bridge-group 186 spanning-disabled
interface FastEthernet0.187
 encapsulation dot1Q 187
 no ip route-cache
 bridge-group 187
 no bridge-group 187 source-learning
 bridge-group 187 spanning-disabled
interface BVI1
 ip address 172.25.101.17 255.255.255.0
 no ip route-cache
ip default-gateway 172.25.101.1
-
Change cipher strength for management traffic
Hi All,
I’m performing a new deployment for my customer on a C370 Ironport and my customer has an internal team performing a band test on the Ironport box. The results show that the management traffic (HTTPS) is only using medium strength traffic (56bits – 112bits) in which does not meet the compliance of the organization. From the knowledge base, I checked that our management traffic is using either RC4-SHA or RC4-MD5. Any way to change this to AES or 3DES?
Besides that, in the band test, customer also notices that the box supports anonymous SSL ciphers. Any way to disable this?
Thanks.
Hi there,
check out these articles:
Article #1399: How can I alter what ciphers are used with the Graphical User Interface (GUI)? Can I disable SSL v2 for the GUI? Link: http://tools.cisco.com/squish/80676
Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E
So to exclude low and anonymous ciphers, something like this would apply:
HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
Hope that helps,
Andreas
-
VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports have the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.
To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo
-
JumboFrames on cisco3750g for iSCSI traffic
Hello Community,
I need your help!
here is the goal: connect SAN and vmware ESXi by iSCSI via cisco3750g.
on cisco I'm using a separated vlan for iSCSI traffic.
So after turning on the JumboFrames on cisco ( system mtu jumbo 9000 > reload) I was trying to test it using PING command from the switch without success :-(
#show system mtu
System MTU size is 1500 bytes
System Jumbo MTU size is 9000 bytes
System Alternate MTU size is 1500 bytes
Routing MTU size is 1500 bytes
#ping 192.168.0.21 size 9000 df-bit repeat 1
Type escape sequence to abort.
Sending 1, 9000-byte ICMP Echos to 192.168.0.21, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 0 percent (0/1)
#show int gi1/0/3 mtu
Port Name MTU
Gi1/0/3 iSCSI 9000
#show vlan mtu
VLAN SVI_MTU MinMTU(port) MaxMTU(port) MTU_Mismatch
1 1500 9000 9000 No
192 1500 9000 9000 No
#show ru int gi1/0/3
Building configuration...
Current configuration : 108 bytes
interface GigabitEthernet1/0/3
description iSCSI
switchport access vlan192
switchport mode access
end
thanks!
Hello
Does the interface need to be an access port or trunk?
res
Paul
-
Question about setting vlan for Video Teleconference Equipment
We recently purchased some Video Teleconference equipment (Product called LifeSize). Initially we had configured a separate vlan for VTC traffic and when a user needed to move the vtc equipment to a different room for a meeting, we would have to manually go in and change the vlan assignment on the switch for that port to the VTC vlan. From my understanding, there is a way to set this up so that anytime the vtc is plugged into any switch port, the port would automatically update to the proper VTC vlan. Is there a way to configure the switch to change the vlan option anytime the VTC equipment is plugged into any switchport? We are using Cisco 3750G series switches. There is an option on the VTC equipment for vlan configuration where we can specify the vlan. However, when we set the vlan, we lose connectivity to the device. If the vlan is preconfigured on the VTC equipment, what is the proper configuration on the switch port?
Thx in advance for any help given.
You would need a radius server to do 802.1x authentication. The radius server can associate the vlan you want to use with the authentication. So basically the device connects to the switch port, the device is challenged for credentials by the switch, it responds and then the switch passes the authentication details to the radius server. If the authentication was successful the radius server can then pass a number of attributes back to the switch, one of which is the vlan the port is to be assigned to.
There is an additional issue with your setup in that generally 802.1x is used to authenticate clients which have an 802.1x supplicant on them, but I suspect your equipment won't. So you can configure the mac authentication bypass feature. What happens here is the switch challenges your equipment but there is no response. Once the challenge has timed out you can configure the switch to then use the mac address of the connected device to authenticate it to the radius server.
Here is the link for configuring 802.1x on the 3750 switch -
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1205506
Note the restrictions just in case they affect your setup.
As for the radius server the Cisco version is ACS. There are others but you would need to make sure they supported everything needed.
Final point. I have never used 802.1x to do dynamic vlan assignment so I can't guarantee anything.
Jon
-
Question in regard to management VLAN for each Context in ACE module
Dear Pros,
I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
1) Does the ACE module require a Management IP address for each Context? Should the same VLAN be applied to each context, with a larger size subnet to supply host addresses?
2) If it does require that, what IP address should I use for the default route in each context?
I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
Each ACE module will have 3 separate Contexts, for a total of 4 including the Admin.
Any suggestions, or if you can point me to a location, will as always be greatly appreciated.
Thanks and best regards.
Raman Azizian
Hi,
you have several options to choose from.
1. Use Admin context for management
You can use the Admin context for management. Give it an IP address in your management VLAN, default route to upstream router, and login and change to contexts from there.
+ Easy and straightforward
- snmp and syslog are using the ip from each individual context and not the management IP
2. Use a Large subnet and assign an IP address in each context for management.
You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
+ each context has its own management address
- static routes need to be added
3. Use your client-side ip address (or BVI) as management address.
Your management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
+ no static routes needed
- inline management
Personally, I choose option 1. That is, if the people that need to manage the ACE are the same team.
If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, then I would choose option 3.
HTH,
Dario
-
Is it possible to use management Vlan as FT Vlan for ACE4710?
Is it allowed to configure ACE4710 management vlan as a FT vlan between two appliances? If allowed, what's the consequence of not using a dedicated FT Vlan?
Thanks a lot
You should not have any other traffic on the dedicated FT vlan.
This is from the docs.
Note Do not use this dedicated VLAN for any other network traffic, including HSRP and data
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/redundcy.html#wp999787
Having any other traffic on this vlan could cause a problem with FT heart beats being dropped, and both ACE could become active. Definitely use a dedicated FT Vlan.
Regards
Jim
-
Configuring Management VLAN for standalone Nexus 5k
Hi All,
The architecture in the attachment doesn't require redundancy and hence has a single N5k with N2k as FEX. The setup is working fine except for the management vlan and mgmt 0 interface being down.
As of now, mgmt0 interface has no link connected to it. The VLAN for nexus management is also down as mgmt0 can't be assigned to vlans. Configuring management IP to Loopback interface also doesn't allow adding the same to management vlan.
Is mgmt0 an RJ45 compatible port with N5596? And is there a way I can have out of band management for Nexus 5596? Is there a way I can assign a management IP to the FEX?
Thanks for the inputs.
Thanks,
Bala S
Hello Balachandhar,
Mgmt interface on N5K exists to provide out of band management to the device.
Mgmt interface belongs to management vrf. You can reach the N5K on mgmt interface once you configure IP to mgmt interface and connect it to upstream switch port belonging to mgmt vlan.
The FEX cannot be separately managed. You need to connect to the parent N5K device and manage it.
HTH
Padma
-
VLAN prioritization for SAN traffic
I have a stack of 3750's running two VLANs, one for NFS traffic (id 130) and one for iSCSI traffic (id 150). I have jumbo framing (MTU 9000) on VLAN 150. I'd like to try prioritizing the iSCSI traffic using 802.1p. Can anyone point me to some configuration help? Does anyone have any thoughts or experiences with this idea? Thanks!
The MDS GE/iSCSI interface can set the DSCP value on outbound IP packets, but that is in the IP header (layer 3). From what I recall, the 802.1p bits are in the Layer 2 field between the MAC addresses and the Ethernet type, and from what I understand, the MDS does not provide any marking at that level.
You could mark via 802.1p inbound on the Ethernet Switch that the MDS GE port is attached to, but not directly out of the MDS GE port.
If you are interested in marking iSCSI using DSCP, here is web page describing how you set the iSCSI interface for the desired DSCP value.
Hope this helps,
Mike
-
Do I need to explicitly define management traffic coming to the ace module, I see in a lot of configurations that they allow management traffic in a special class to the ace?
Also, is it necessary to apply an access-list to the ace module to accept traffic for the vip? What if I do not use any access-list on the ace, will the traffic go through?
Yes, you need to define allowed traffic to the ace. The ace acts as an implicit deny. It will block everything until you allow it. The first policy/class match that you should define is the management traffic class.
access-list ALL line 8 extended permit ip any any
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 121
  ip address
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
-
Transparent vlan and management of remote switch
Hi,
I'm a bit confused regarding the native Vlan of 1262 bridge ...
My design is LAN---RAP ---- MAP---remote-SWITCH with two Vlan : one for the data and one for the management.
I keep the vlan 1 for management at this point, but I'm still unable to access the remote switch.
On LAN side, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
On RAP the Gigabit Ethernet is on normal mode
On MAP the Gigabit Ethernet is on normal mode
On remote-SWitch, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
Transparent vlan is disabled on WLC and Ethernet Bridging is checked for both AP.
It seems that it's not possible to bridge the Vlan1 as it is used for the backhaul, so does it mean
that for management purposes I must use a specific Vlan-id? And if my understanding is correct, to define this vlan-id
as native on MAP with the Ethernet Port set as Trunk and on other switches (LAN side and remote-Switch).
thks for your reply
If you have Ethernet bridging enabled and have defined the vlan for the bridging, then the rap has to be connected to a trunk port and the traffic from the device that is connected to the MAP will egress out of the RAP's Ethernet port onto the trunk port. If you don't define any vlan for bridging then the traffic will be placed on the vlan the RAP is assigned to.
https://supportforums.cisco.com/servlet/JiveServlet/downloadBody/21766-102-1-53166/Understanding%20mesh%20ethernet%20bridging.pptx
https://supportforums.cisco.com/docs/DOC-21766
Sent from Cisco Technical Support iPhone App
-
About the Native Vlan and Management Vlan.
I wanted to know whether the Management vlan and Native vlan can be different vlan ids or whether both should be the same vlan id. Why should the native vlan not be vlan 1?
The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
Example: In the below figure, if an IP phone and a system are connected to a switch port as below, then the phone will send its frames tagged with vlan 10, whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native vlan 20, so that it can recognise and handle the frames from the system and the IP phone properly.
Management vlan is different: it means that this vlan will be used for management purposes, i.e. logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc. will be done via the management vlan IP. This is also vlan 1 by default in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and to use custom vlans.
Hope this helps!
-
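The recommendations in this thread (native VLAN moved to an unused VLAN, management VLAN kept tagged and off VLAN 1) can be checked against a switch configuration. This is an added example, not part of the original thread: the sample config, interface names and VLAN numbers are constructed, only ports with an explicit `switchport mode trunk` are treated as trunks, and a VLAN counts as in use when an access port is assigned to it.

```python
import re

# Constructed sample config; interface names and VLAN numbers are made up.
SAMPLE = """\
interface GigabitEthernet1/0/1
 description trunk with the native VLAN left at its default
 switchport mode trunk
interface GigabitEthernet1/0/2
 description trunk with the management VLAN as native
 switchport mode trunk
 switchport trunk native vlan 100
interface GigabitEthernet1/0/3
 description trunk whose native VLAN also has access ports
 switchport mode trunk
 switchport trunk native vlan 20
interface GigabitEthernet1/0/4
 description trunk with an unused native VLAN
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
"""


def interfaces(config):
    """Split a running-config into {interface name: [sub-commands]}."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            result[current] = []
        elif raw.startswith(" ") and current:
            result[current].append(raw.strip())
        else:
            current = None
    return result


def vlan_of(commands, prefix, default=None):
    """Return the VLAN id from the last '<prefix> N' command, or the default."""
    vlan = default
    for command in commands:
        m = re.fullmatch(re.escape(prefix) + r" (\d+)", command)
        if m:
            vlan = int(m.group(1))
    return vlan


def audit(config, mgmt_vlan):
    """Return {trunk interface: [findings]} for the native-VLAN checks."""
    ifaces = interfaces(config)
    in_use = {vlan_of(c, "switchport access vlan") for c in ifaces.values()} - {None}
    report = {}
    for name, commands in ifaces.items():
        if "switchport mode trunk" not in commands:
            continue
        # The native VLAN is 1 when none is configured.
        native = vlan_of(commands, "switchport trunk native vlan", default=1)
        findings = []
        if native == 1:
            findings.append("native-default")   # untagged traffic lands in VLAN 1
        if native == mgmt_vlan:
            findings.append("native-is-mgmt")   # management frames cross untagged
        elif native in in_use:
            findings.append("native-in-use")    # native VLAN is not an unused VLAN
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE, mgmt_vlan=100).items():
        print(name, findings or "ok")
```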
WAAS VLAN - not all traffic is being forwarded to WAE
Hi, I've configured a WAAS topology based on this Cisco document
(http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/ccmigration_09186a008081c7da.pdf)
where the WAE's are in their own VLAN and there is a trunk between the 2 edge routers and 2 6509 switches (the WAE's connect to this switch). Both the "data" vlan and the WAAS vlan are participating in EIGRP, which means that traffic is being routed over both sub-interfaces. The problem is that one of the sub-interfaces has the "ip wccp redirect exclude in" command configured so only half the traffic will be passed to the WAE's. Has anyone come across this before? Should I be removing the WAAS vlan from EIGRP and using the second interface on the WAE for management in a separate subnet?
interface GigabitEthernet0/0
 description Trunk link to 6500
 no ip address
interface GigabitEthernet0/0.901
 description WAN Edge VLAN
 encapsulation dot1Q 901 native
 ip address 10.7.7.2 255.255.255.224
 ip wccp 61 redirect in
 ip wccp 62 redirect out
interface GigabitEthernet0/0.902
 description WAAS VLAN
 encapsulation dot1Q 902
 ip address 10.7.9.1 255.255.255.240
 ip wccp redirect exclude in
 standby 1 ip 10.7.9.3
 standby 1 timers 1 3
 standby 1 priority 110
 standby 1 preempt delay minimum 1
 standby 2 ip 10.7.9.4
 standby 2 timers 1 3
 standby 2 priority 120
 standby 2 preempt delay minimum 1
Edge_Router#sh ip ro 10.6.1.181
Routing entry for 10.6.1.0/21
Known via "eigrp 1", distance 90, metric 28928, type internal
Redistributing via eigrp 9
Last update from 10.7.7.1 on GigabitEthernet0/0.901, 08:18:01 ago
Routing Descriptor Blocks:
10.7.7.1, from 10.7.7.1, 08:18:01 ago, via GigabitEthernet0/0.902
Route metric is 28928, traffic share count is 1
Total delay is 130 microseconds, minimum bandwidth is 100000 Kbit
Reliability 245/255, minimum MTU 1500 bytes
Loading 12/255, Hops 3
* 10.7.9.1.2, from 10.7.9.1.2, 08:18:01 ago, via GigabitEthernet0/0.901
Route metric is 28928, traffic share count is 1
Total delay is 130 microseconds, minimum bandwidth is 100000 Kbit
Reliability 245/255, minimum MTU 1500 bytes
Loading 12/255, Hops 3
BRADLEY,
In this case you should make the data VLAN passive (from an EIGRP perspective) and use the WAE VLAN as a transit between the two routers. You don't want traffic coming in from the WAE VLAN to get re-intercepted.
Zach
-
Administration port - network channel for admin traffic
I am trying to configure a separate channel for Administration traffic on weblogic. I followed the oracle docos and configured the SSL, domain wide admin port, server listen address, ‘admin’ channel.
The issue is admin traffic is not happening through the newly created channel.
L2 network is not getting used. I can’t see any activity in the monitoring tab of new Channel. Also the netstat is showing that the port 9101/9102 is getting used on the 192.168.100.218 and not on 10.254.252.849.
I also tried by setting up the newly created channel weight as 51, but no luck.
Is JMX connectivity related to admin channel?
Any help is highly appreciated. Thanks.
Ipconfig:
Admin: adminserver701.mycompany.internal, 192.168.100.238, 10.254.252.808
Managed: appserver701.mycompany.internal, :192.168.100.218, 10.254.252.849
Domain wide admin port: 9101
Admin:
Listen address –> adminserver701.mycompany.internal
Channel –> admin -> 10.254.252.808/9101
Startup -> -Dweblogic.admin.ListenAddress=admin://10.254.252.808:9101
Managed:(appserver701)
Listen address –> appserver701.mycompany.internal
Admin port override: 9102
Channel –> admin -> 10.254.252.849/9102
Startup -> -Dweblogic.admin.ListenAddress=admin://10.254.252.849:9102
AdminServer Logs:
####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613346> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.runtime .>
####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613353> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.edit .>
####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[STANDBY] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613367> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.domainruntime .>
####<Feb 18, 2013 1:53:36 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159616699> <BEA-002613> <Channel "DefaultAdministration" is now listening on 192.168.100.238:9101 for protocols admin, ldaps, https.>
####<Feb 18, 2013 1:53:36 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159616700> <BEA-002613> <Channel "Channel-0" is now listening on 10.254.252.808:9101 for protocols admin, ldaps, https.>
####<Feb 18, 2013 1:55:12 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-000000000000001a> <1361159712920> <BEA-002613> <Channel "Default" is now listening on 192.168.100.238:7001 for protocols iiop, t3, ldap, snmp, http.>
####<Feb 18, 2013 1:55:12 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-000000000000001a> <1361159712920> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.100.238:7002 for protocols iiops, t3s, ldaps, https.>
ManagedServer Logs:
####<Feb 18, 2013 2:54:19 PM EST> <Info> <JMX> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163259911> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://appserver701.mycompany.internal:9102/jndi/weblogic.management.mbeanservers.runtime .>
####<Feb 18, 2013 2:54:20 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163260350> <BEA-002613> <Channel "Channel-0" is now listening on 10.254.252.849:9102 for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
####<Feb 18, 2013 2:54:20 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163260350> <BEA-002613> <Channel "DefaultAdministration" is now listening on 192.168.100.218:9102 for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
####<Feb 18, 2013 2:54:58 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <d3208ed6c2482016:-46ac5fed:13ceba69a8e:-7ffe-000000000000000e> <1361163298045> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.100.218:7102 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
####<Feb 18, 2013 2:54:58 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <d3208ed6c2482016:-46ac5fed:13ceba69a8e:-7ffe-000000000000000e> <1361163298045> <BEA-002613> <Channel "Default" is now listening on 192.168.100.218:7101 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
AdminServer logs update while starting managed:
####<Feb 18, 2013 2:54:57 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-0000000000000162> <1361163297488> <BEA-149506> <Established JMX Connectivity with adp_ms01 at the JMX Service URL of service: jmx:admin://appserver701.mycompany.internal:9102 /jndi/weblogic.management.mbeanservers.runtime.>
Admin Server :
[oracle@adminserver701 bin]$ netstat -an | grep 9101
tcp 0 0 10.254.252.808:9101 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.238:9101 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.238:9101 192.168.100.218:59038 ESTABLISHED
I am wondering if the JMX connectivity is using the server listen address (adminserver701.mycompany.internal) which will by default resolve to 192.168.100.238. Is there a way to force JMX to use 10.254.252.808?
Hi
For first question the answer is no. With the administration port, you enable the SSL between the admin server and Node manager-managed Servers. You can still use the web console.
For the second question, you can use ANT or can use the WLS Scripting. You can get more details in dev2dev.bea.com
Jin